Key takeaways
- The long-awaited guidance on the offence of failure to prevent fraud has now been published (the Guidance). The offence of failure to prevent fraud will now come into force on 1 September 2025.
- The Guidance sets out fraud prevention procedures that large organisations will need to implement, to be able to assert a defence for failing to prevent fraud, under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). The Guidance is based on the same six principles included in the guidance for the failure to prevent bribery[1] and tax evasion[2].
- The procedures included in the Guidance are also said to represent good practice for smaller organisations. Importantly, the Guidance is not intended to be exhaustive; the question of whether an organisation had reasonable procedures will be fact dependent and will be for companies to prove to the civil standard of proof, namely on the balance of probabilities.
- In very limited circumstances, the Guidance states it may be reasonable to have no prevention procedures in place. However, it will rarely be considered reasonable not to have conducted a risk assessment – it is suggested that conducting a relevant documented risk assessment is a minimum standard. The Guidance flags that the mandatory company audit process under s.475 Companies Act 2006 is not sufficient as a reasonable procedures defence, although it notes that audits are helpful tools toward achieving reasonable procedures.
- The Guidance gives greater emphasis to the use of technology solutions in prevention procedures. Indeed, four of the six principles suggest that relevant organisations look to technology solutions, data analytics and AI to form part of their reasonable prevention procedures.
- It remains to be seen whether agencies and the courts will concern themselves with degrees of reasonableness, either as affecting the decision to prosecute, or, where prosecution takes place, the extent to which the prevention procedures in place provide any form of mitigation.
Failure to prevent fraud offence
- Chapter 2 of the Guidance provides an overview of the offence and the organisations that are in scope.
- The offence of failure to prevent fraud only applies to large organisations – i.e. those that meet two or three out of the following criteria: more than £36 million turnover; balance sheet of more than £18 million in assets; more than 250 employees.
- A company will commit the offence of failing to prevent fraud pursuant to section 199(1) ECCTA if someone associated with the company, such as an employee, agent or person providing services on its behalf, commits fraud with the intention of benefiting the company or its clients, unless the company can demonstrate that it “had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or… it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.”[3]
- The Guidance at chapter 2.8 provides a number of examples of how such fraud might occur, including in respect of a number of sectors, such as an ESG fraud committed by a fund provider misleading investors about a company’s environmental credentials; or a water company falsifying its records on how much sewage it discharges into a river.
Reasonable Fraud Prevention Procedures
Chapter 3 of the Guidance sets out the six main principles that an organisation should apply to inform its fraud prevention procedures, with detailed guidance in respect of each. It further makes clear that these are outcome focussed.
- Principle 1 – Top Level Commitment
The board of directors, partners and senior management of a relevant organisation are responsible for preventing and detecting fraud; they should be committed to preventing fraud and should foster a culture in which fraud is never acceptable.
- Principle 2 – Risk Assessment
The relevant organisation conducts a dynamic and documented risk assessment which is kept under regular review, and which assesses the nature and extent of the organisation’s exposure to the risks of associated persons committing fraud.
- Principle 3 – Proportionate Risk-Based Prevention Procedures
The relevant organisation has clear, practical, accessible and effectively implemented and enforced procedures to prevent fraud by associated persons which are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities.
- Principle 4 – Due Diligence
The relevant organisation applies proportionate and risk-based due diligence procedures in respect of persons who perform or will perform services for or on its behalf to mitigate identified fraud risks.
- Principle 5 – Communication (including training)
The relevant organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication (training and maintaining training is key).
- Principle 6 – Monitoring and Review
The relevant organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary – including by learning from investigations and whistleblowing incidents and reviewing information from its own sector.
- Chapter 3 includes a section dedicated to whistleblowing and cites Transparency International on the need to promote whistleblowing as “one of the most effective ways to uncover corruption, fraud, mismanagement and other wrongdoing”.[4] The emphasis placed on whistleblowing in the Guidance suggests, for at least the short-medium term, that whistleblowing procedures should be a key constituent part of the economic crime prevention procedures of “large organisations”[5].
- The Guidance points users to other sources of information to assist, such as Cifas and the Fraud Advisory Panel.
Interaction and overlap between legislative and regulatory regimes
Chapter 4 sets out the overlap with existing legislative and regulatory regimes, such as the auditing requirements, with a few examples.
[1] https://assets.publishing.service.gov.uk/media/5d80cfc3ed915d51e9aff85a/bribery-act-2010-guidance.pdf
[2] https://assets.publishing.service.gov.uk/media/5a82aaa0e5274a2e8ab58b82/Tackling-tax-evasion-corporate-offences.pdf
[3] Sections 199(4) and (5) ECCTA 2023
[4] Page 33 of the guidance refers to https://www.transparency.org/en/blog/internal-whistleblowing-systems-game-changer
[5] As defined by sections 201 and 202 ECCTA 2023.
Maria Cronin
Trustee, Fraud Advisory Panel